
[App Check] Add short-lived token support to Debug Provider

Added a constructor to GACAppCheckDebugProvider with a limitedUse
parameter; when YES, this requests a short-lived App Check token with a
TTL of 5 minutes.
Andrew Heard 2 年之前
父節點
當前提交
58826083d9

+ 9 - 1
AppCheckCore/Sources/DebugProvider/API/GACAppCheckDebugProviderAPIService.h

@@ -32,13 +32,21 @@ NS_ASSUME_NONNULL_BEGIN
     : NSObject <GACAppCheckDebugProviderAPIServiceProtocol>
 
 /// Default initializer.
+///
+/// TODO(andrewheard): Remove or refactor the `limitedUse` parameter from this constructor when the
+/// short-lived (limited-use) token feature is fully implemented.
+///
 /// @param APIService An instance implementing `GACAppCheckAPIServiceProtocol` to be used to send
 /// network requests to the App Check backend.
 /// @param resourceName The name of the resource protected by App Check; for a Firebase App this is
 /// "projects/{project_id}/apps/{app_id}". See https://google.aip.dev/122 for more details about
 /// resource names.
+/// @param limitedUse If YES, forces a short-lived token with a 5 minute TTL.
 - (instancetype)initWithAPIService:(id<GACAppCheckAPIServiceProtocol>)APIService
-                      resourceName:(NSString *)resourceName;
+                      resourceName:(NSString *)resourceName
+                        limitedUse:(BOOL)limitedUse NS_DESIGNATED_INITIALIZER;
+
+- (instancetype)init NS_UNAVAILABLE;
 
 @end
 

+ 15 - 5
AppCheckCore/Sources/DebugProvider/API/GACAppCheckDebugProviderAPIService.m

@@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN
 static NSString *const kContentTypeKey = @"Content-Type";
 static NSString *const kJSONContentType = @"application/json";
 static NSString *const kDebugTokenField = @"debug_token";
+static NSString *const kLimitedUseField = @"limited_use";
 
 @interface GACAppCheckDebugProviderAPIService ()
 
@@ -43,16 +44,22 @@ static NSString *const kDebugTokenField = @"debug_token";
 
 @property(nonatomic, readonly) NSString *resourceName;
 
+// TODO(andrewheard): Remove or refactor property when short-lived token feature is implemented.
+// When `YES`, forces a short-lived token with a 5 minute TTL.
+@property(nonatomic, readonly) BOOL limitedUse;
+
 @end
 
 @implementation GACAppCheckDebugProviderAPIService
 
 - (instancetype)initWithAPIService:(id<GACAppCheckAPIServiceProtocol>)APIService
-                      resourceName:(NSString *)resourceName {
+                      resourceName:(NSString *)resourceName
+                        limitedUse:(BOOL)limitedUse {
   self = [super init];
   if (self) {
     _APIService = APIService;
     _resourceName = resourceName;
+    _limitedUse = limitedUse;
   }
   return self;
 }
@@ -89,10 +96,13 @@ static NSString *const kDebugTokenField = @"debug_token";
   return [FBLPromise onQueue:[self backgroundQueue]
                           do:^id _Nullable {
                             NSError *encodingError;
-                            NSData *payloadJSON = [NSJSONSerialization
-                                dataWithJSONObject:@{kDebugTokenField : debugToken}
-                                           options:0
-                                             error:&encodingError];
+                            NSData *payloadJSON =
+                                [NSJSONSerialization dataWithJSONObject:@{
+                                  kDebugTokenField : debugToken,
+                                  kLimitedUseField : @(self.limitedUse)
+                                }
+                                                                options:0
+                                                                  error:&encodingError];
 
                             if (payloadJSON != nil) {
                               return payloadJSON;
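Review bot: Nothing visible in this change checks that the token returned for a `limited_use` request actually has the short lifetime, so `kLimitedUseField : @(self.limitedUse)` is only a hint to the backend. If the server ignores or does not yet support the field, the caller would receive a standard-lifetime token while believing it is limited to 5 minutes; the response handling is outside this hunk, so this may already be covered there. The field is also now sent on every exchange, including as `false` for existing callers, which is worth confirming against the backend. I would at least add a comment above the payload such as `// limited_use is a request to the backend; the resulting TTL is enforced server-side and not verified here.`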

+ 17 - 2
AppCheckCore/Sources/DebugProvider/GACAppCheckDebugProvider.m

@@ -54,18 +54,33 @@ static NSString *const kDebugTokenUserDefaultsKey = @"FIRAAppCheckDebugToken";
                        resourceName:(NSString *)resourceName
                              APIKey:(nullable NSString *)APIKey
                        requestHooks:(nullable NSArray<GACAppCheckAPIRequestHook> *)requestHooks {
+  return [self initWithServiceName:serviceName
+                      resourceName:resourceName
+                           baseURL:nil
+                            APIKey:APIKey
+                        limitedUse:NO
+                      requestHooks:requestHooks];
+}
+
+- (instancetype)initWithServiceName:(NSString *)serviceName
+                       resourceName:(NSString *)resourceName
+                            baseURL:(nullable NSString *)baseURL
+                             APIKey:(nullable NSString *)APIKey
+                         limitedUse:(BOOL)limitedUse
+                       requestHooks:(nullable NSArray<GACAppCheckAPIRequestHook> *)requestHooks {
   NSURLSession *URLSession = [NSURLSession
       sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration]];
 
   GACAppCheckAPIService *APIService =
       [[GACAppCheckAPIService alloc] initWithURLSession:URLSession
-                                                baseURL:nil
+                                                baseURL:baseURL
                                                  APIKey:APIKey
                                            requestHooks:requestHooks];
 
   GACAppCheckDebugProviderAPIService *debugAPIService =
       [[GACAppCheckDebugProviderAPIService alloc] initWithAPIService:APIService
-                                                        resourceName:resourceName];
+                                                        resourceName:resourceName
+                                                          limitedUse:limitedUse];
 
   return [self initWithAPIService:debugAPIService];
 }
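Review bot: The new `baseURL:` parameter is forwarded unvalidated to `GACAppCheckAPIService`, and the debug token exchanged through this provider is a credential, so a non-HTTPS or unintended host would receive it. The commit description mentions only `limitedUse`, so this extra surface is easy to miss in review. Unless `GACAppCheckAPIService` already rejects such values (not visible here), consider guarding it, e.g. `NSParameterAssert(baseURL == nil || [baseURL hasPrefix:@"https://"]);`, and stating the HTTPS requirement in the `@param baseURL` doc in `GACAppCheckDebugProvider.h`. The first initializer's signature starts above this hunk.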

+ 22 - 0
AppCheckCore/Sources/Public/AppCheckCore/GACAppCheckDebugProvider.h

@@ -76,6 +76,28 @@ NS_SWIFT_NAME(AppCheckCoreDebugProvider)
                              APIKey:(nullable NSString *)APIKey
                        requestHooks:(nullable NSArray<GACAppCheckAPIRequestHook> *)requestHooks;
 
+/// Initializer with support for short-lived tokens.
+///
+/// TODO(andrewheard): Remove or refactor this constructor when the short-lived (limited-use) token
+/// feature is fully implemented.
+///
+/// @param serviceName A unique identifier to differentiate storage keys corresponding to the same
+/// `resourceName`; may be a Firebase App Name or an SDK name.
+/// @param resourceName The name of the resource protected by App Check; for a Firebase App this is
+/// "projects/{project_id}/apps/{app_id}".
+/// @param baseURL The base URL for the App Check service; defaults to
+/// `https://firebaseappcheck.googleapis.com/v1` if nil.
+/// @param APIKey The Google Cloud Platform API key, if needed, or nil.
+/// @param limitedUse If YES, forces a short-lived token with a 5 minute TTL.
+/// @param requestHooks Hooks that will be invoked on requests through this service.
+/// @return An instance of `AppCheckDebugProvider` .
+- (instancetype)initWithServiceName:(NSString *)serviceName
+                       resourceName:(NSString *)resourceName
+                            baseURL:(nullable NSString *)baseURL
+                             APIKey:(nullable NSString *)APIKey
+                         limitedUse:(BOOL)limitedUse
+                       requestHooks:(nullable NSArray<GACAppCheckAPIRequestHook> *)requestHooks;
+
 /** Return the locally generated token. */
 - (NSString *)localDebugToken;
 

+ 2 - 1
AppCheckCore/Tests/Unit/DebugProvider/GACAppCheckDebugProviderAPIServiceTests.m

@@ -48,7 +48,8 @@ static NSString *const kResourceName = @"projects/test_project_id/apps/test_app_
 
   self.debugAPIService =
       [[GACAppCheckDebugProviderAPIService alloc] initWithAPIService:self.mockAPIService
-                                                        resourceName:kResourceName];
+                                                        resourceName:kResourceName
+                                                          limitedUse:NO];
 }
 
 - (void)tearDown {
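Review bot: Only the `limitedUse:NO` path is exercised here; the hunk updates the constructor call in what appears to be `setUp` (its start is above the hunk) but adds no case for `YES`. Since the new behaviour is entirely the `limited_use` key in the request body, a test that builds the service with `limitedUse:YES` and asserts the serialized payload contains `"limited_use": true` would pin it. A matching assertion that the `NO` path sends `false` would also document that the field is now always present. Other test hunks may exist outside this view.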